Configure Clients for SASL/OAUTHBEARER authentication in Confluent Platform
To configure Confluent Platform and Kafka clients to use SASL/OAUTHBEARER authentication with TLS encryption when connecting to Confluent Server brokers, add the following properties to your client's properties file, replacing the placeholders with your actual values:
sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL
ssl.truststore.location=<path/to/client.truststore.jks>
ssl.truststore.password=<truststore-password>
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
# Optional: connect timeout for the login callback handler's request to the token endpoint
sasl.login.connect.timeout.ms=15000
sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
# The scope option is optional; see the note below
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId="<client-id>" \
    clientSecret="<client-secret>" \
    scope="<scope>";
The scope parameter is optional: it defines the level of access the client is requesting. It becomes required if your identity provider does not apply a default scope, or if your groups claim is tied to a scope. Two points about the file itself: in a Java .properties file, # starts a comment only at the beginning of a line, so a trailing "# optional" written after a value is read as part of that value rather than ignored; and because the file holds the client secret and the truststore password in clear text, restrict it to the user account that runs the client (for example, chmod 600).
For details on the client configuration properties used in this example, see Client Configuration Properties for Confluent Platform.
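As an added check, not code from the Confluent Platform documentation, the following Python script parses a client.properties file with the two java.util.Properties rules that matter here (a # starts a comment only at the beginning of a line, and a trailing backslash continues the line, which is how the multi-line sasl.jaas.config is written) and then reviews the security-relevant settings the way a reviewer would before handing the file out. The file contents, host name, client ID and secret are constructed; the checks encode reviewer policy, not Kafka's own validation.

```python
"""Offline sanity check for a Kafka client.properties file that uses
SASL/OAUTHBEARER. Added example, not code from the Confluent documentation;
every value below is constructed."""
import re
import sys

# Constructed sample: the page's template with hypothetical values filled in.
# The trailing "# optional" on the timeout line is kept on purpose: in a Java
# .properties file '#' only starts a comment at line start, so it becomes
# part of the value and the client would fail to parse the timeout.
SAMPLE_PROPERTIES = """\
sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.login.connect.timeout.ms=15000 # optional
sasl.oauthbearer.token.endpoint.url=https://idp.example.com/oauth2/token
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
    clientId="kafka-consumer" \\
    clientSecret="hypothetical-secret" \\
    scope="kafka:read";
"""

LOGIN_MODULE = "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule"
JAAS_ENTRY = re.compile(r"^(\S+)\s+(required|requisite|sufficient|optional)\s+(.*);$", re.S)
JAAS_OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_properties(text):
    """Parse java.util.Properties text (subset: '=' separator, '#'/'!' line
    comments, backslash continuations with the next line's leading
    whitespace dropped, as Java does)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        # an odd number of trailing backslashes means "continue on the next line"
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        key, sep, value = logical.partition("=")
        props[key.strip()] = value.lstrip() if sep else ""
    return props


def parse_jaas(config):
    """Split a single-entry sasl.jaas.config into (module, control flag,
    options). Anything after the terminating ';' makes the entry invalid."""
    match = JAAS_ENTRY.match(config.strip())
    if not match:
        return None
    module, flag, options = match.groups()
    return module, flag, dict(JAAS_OPTION.findall(options))


def check_oauthbearer_client(props):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    if props.get("sasl.mechanism") != "OAUTHBEARER":
        findings.append("sasl.mechanism must be OAUTHBEARER")
    if props.get("security.protocol") != "SASL_SSL":
        findings.append("security.protocol must be SASL_SSL: over SASL_PLAINTEXT the bearer "
                        "token crosses the network in clear text")
    if not props.get("ssl.truststore.location"):
        findings.append("ssl.truststore.location is missing: broker certificate cannot be verified")
    url = props.get("sasl.oauthbearer.token.endpoint.url", "")
    if not url.startswith("https://"):
        findings.append(f"token endpoint {url!r} is not https: the client secret is posted to it")
    timeout = props.get("sasl.login.connect.timeout.ms")
    if timeout is not None and not timeout.isdigit():
        findings.append(f"sasl.login.connect.timeout.ms={timeout!r} is not an integer "
                        "(a trailing '# ...' is part of the value, not a comment)")
    jaas = props.get("sasl.jaas.config")
    entry = parse_jaas(jaas) if jaas else None
    if entry is None:
        findings.append("sasl.jaas.config must be one '<module> <flag> key=\"value\" ...;' entry")
        return findings
    module, _flag, options = entry
    if module != LOGIN_MODULE:
        findings.append(f"login module is {module}, expected {LOGIN_MODULE}")
    for name in ("clientId", "clientSecret"):
        if not options.get(name):
            findings.append(f"{name} is missing from sasl.jaas.config")
    if not options.get("scope"):
        findings.append("warning: no scope set; fine only if the identity provider has a default scope")
    return findings


if __name__ == "__main__":
    # usage: python check_client_props.py [client.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for finding in check_oauthbearer_client(parse_properties(text)) or ["OK"]:
        print(finding)
```

Run against the constructed sample it reports exactly one finding, the timeout value "15000 # optional"; delete the trailing comment and the file passes. Pointing it at a real client.properties is the quickest way to catch a SASL_PLAINTEXT listener or an http:// token endpoint before the client secret ever leaves the host.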
Example: Using kafka-console-consumer with SASL/OAUTHBEARER
Here is an example of how to run the kafka-console-consumer command-line tool with SASL/OAUTHBEARER authentication. The --consumer.config flag points to the client.properties file in which the SASL/OAUTHBEARER properties are configured:
kafka-console-consumer \
--bootstrap-server <host>:9092 \
--topic <topic-name> \
--consumer.config <path/to/client.properties>
With SASL/OAUTHBEARER the client does not need a pre-issued token. The configured login callback handler requests one from sasl.oauthbearer.token.endpoint.url using the clientId and clientSecret from sasl.jaas.config (the OAuth 2.0 client credentials grant), presents it to the broker during the SASL handshake, and re-acquires it before it expires; all of this happens inside the Kafka client library based on the configuration you provide. Because the token is a bearer credential, keep security.protocol=SASL_SSL so that it is only ever sent over the TLS connection the truststore verifies. After successful authentication, the consumer reads messages from the specified topic and prints them to the console (stdout).